
Networked for crime.

A networked PC provides an ideal opportunity for crime. Here's how.

THIS STORY IS NOT ABOUT television ratings wars or soap operas--it's about a terrible reality facing virtually every corporation in the world today. Corporations own millions of computers, many of which are connected to each other and to shared data bases, printers, or modems. While individual PCs are easy and inexpensive to secure, the information on networked systems is particularly vulnerable to theft or damage and is difficult to safeguard from all but the most clumsy attacks. Further, most attacks come from within--from disinterested, dishonest, disgruntled, or disaffected employees. New realities in business and government are forever altering the way we work and exchange information. Consider the following statistics and analyses:

* By 1992, the workplace will contain 30 million PCs, and more than 60 percent of them will be interconnected on local-area networks (LANs).(1)
* Virtually any LAN can be connected to any other nearby LAN with a bridge or router or to distant LANs through telephone lines or data transmission circuits, creating wide-area networks.
* A buzzword in computing circles these days is downsizing, which is the migration of data processing from mainframe computers toward minicomputers and microcomputers (PCs).
* The number of computer viruses is increasing by 47 percent per year.(2) At the very least, viruses cause weeks of disruption and lost productivity. Affected systems are taken out of service while the virus is identified and removed, often by reformatting the hard drive and removing the virus from programmable memory areas. At worst, vital data is stolen or destroyed.
* The average loss to a company through exploitation of computing systems is far greater than the loss from any other form of theft or robbery--by several orders of magnitude. Some estimates place the average insured loss from electronic tampering or exploitation of computer-based systems as high as $500,000. (See chart.)

A networked PC provides an ideal opportunity for crime. The behavior involved in inserting a virus or altering the address in a fund transfer is essentially the same as the behavior involved in writing a letter or preparing a budget estimate on a spreadsheet. Unless a supervisor stands directly behind people and monitors their screens, thieves and saboteurs can do their work in the middle of a room full of people with no one being the wiser--until the consequences of that work become evident.

Having established the scope of vulnerability, let's look at the threats. External threats fall into two groups: covert and overt. Covert threats include intelligence-collection activities by corporate competitors and foreign governments.

Their objective in penetrating LANs and other computing systems is simply to look at and download proprietary or classified information, not to destroy it. The loss to the company or government is competitive position.

The problem with covert threats is that we often don't know that someone has been there. Nothing is missing or out of place, so we don't even know when to become suspicious.

Overt external intruders, on the other hand, include those who would destroy or sabotage files for corporate or political advantage, insert viruses as a prank, or use computers to steal. Finally, nature, with all its earthquakes and electrical storms that vibrate and shock sensitive computing systems into uselessness, is a significant external threat.

The internal threat comes from four types of employees: disinterested, dishonest, disgruntled, and disaffected.

The disinterested employee hasn't read the operations manual and makes mistakes that result in a loss of productivity or system availability. The dishonest employee exploits system weaknesses to his or her advantage but doesn't do so much damage as to draw attention or jeopardize his or her job.

The disgruntled employee, in a rage over being fired or denied a raise or promotion, attacks the system in revenge. Finally, the disaffected employee, for whatever motives, agrees to work covertly for another company or government.

Fire, flood, and earthquakes do represent a threat, but human error accounts for slightly more than half of all corporate losses related to computing systems. As more people become computer literate, that type of loss should diminish.

Clearly, however, at least a quarter of all losses stem from malice and greed. Indeed, insurers' records show that losses due to external sources are relatively insignificant. The real problem comes from within.

The work force reflects the general population. Without any screening, a company therefore contains felons, psychotics, thieves, and angels in more or less the same proportion as the outside population. Screening devices reduce the incidence of the worst of these types but do not eliminate them.

Moreover, service people need to be evaluated just as rigorously as our most trusted employees. We need to know where our trash is going when it leaves our back door.

The internal threat is persistent: Companies will always have disinterested, dishonest, disgruntled, or disaffected employees. Consider the history of espionage in the United States. Virtually all national security information losses have involved US citizens working in the targeted institutions.

Insiders are particularly severe threats to computing systems because they are normally authorized sufficient access to do significant damage. Passwords or tokens may validate a user's identity, but does that stop him or her from doing something illegal or otherwise unauthorized? Once allowed into most computing systems, the user is free to do whatever he or she chooses. That's the real threat, and it illustrates the futility of password control.

FORTUNATELY, some solutions can prevent illegal acts regardless of whether the perpetrator is identified. The principal tools used in these security solutions include the following:

Physical security. The first line of defense is physical barriers to the computing system and physical safeguards that prevent the removal of hardware from the facility.

Identification and authentication. These solutions are provided by passwords and password tokens. They perform a valuable function and, along with physical security safeguards, constitute the front line of defense.

Discretionary access control (DAC). DAC determines which files a person is authorized to access, read, or process. The problem with DAC systems is that once a file has been made available to the user, the user is free to distribute that file however he or she pleases--including renaming and copying the file onto a floppy disk or another file space accessible by persons who do not have the original file. DAC, in effect, transfers data distribution authority to the user.

However, system administrators can use DAC to preclude users from writing to or modifying any operating system files. Unauthorized persons often use those techniques to circumvent low-level safeguards. Since viruses and worms also work by modifying operating system files, a well-written DAC automatically becomes an antiviral tool.

Mandatory access control (MAC). MAC-based systems restrict a user's ability to transfer data to others. The data can only be copied into file spaces secured at the same level as the original authorized level.
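The difference between the two controls is easiest to see when an authorized user tries to copy a file somewhere less protected. The following Python sketch is an added example, not part of the original article; the file spaces, level names, and users are constructed, and the MAC check implements only the same-level rule stated above.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "proprietary": 2}  # constructed labels

@dataclass
class FileSpace:
    name: str
    level: str                 # MAC label of this storage area
    readers: set               # DAC list: users allowed to read files here
    files: dict = field(default_factory=dict)

def dac_allows_read(user, space):
    # DAC asks only one question: is this user on the access list?
    return user in space.readers

def mac_allows_copy(src, dst):
    # Rule as stated in the article: destination secured at the same level.
    return LEVELS[dst.level] == LEVELS[src.level]

def copy_file(user, fname, src, dst, enforce_mac):
    """Try to copy fname from src to dst; return (allowed, reason)."""
    if not dac_allows_read(user, src):
        return False, "DAC: user may not read source"
    if enforce_mac and not mac_allows_copy(src, dst):
        return False, "MAC: destination level differs from source"
    dst.files[fname] = src.files[fname]
    return True, "copied"

def demo():
    vault = FileSpace("vault", "proprietary", {"alice"}, {"bid.txt": "sealed bid"})
    peer = FileSpace("vault2", "proprietary", {"alice"})
    out = {}
    for mode, mac in (("dac_only", False), ("dac_plus_mac", True)):
        shared = FileSpace("shared", "public", {"alice", "bob"})
        ok, reason = copy_file("alice", "bid.txt", vault, shared, enforce_mac=mac)
        # Can bob, who is not on the vault's access list, now read the data?
        leaked = dac_allows_read("bob", shared) and "bid.txt" in shared.files
        out[mode] = (ok, reason, leaked)
    out["same_level"] = copy_file("alice", "bid.txt", vault, peer, enforce_mac=True)
    return out

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Under DAC alone the copy succeeds and a second user can read the file without ever having been granted it; with the MAC check in place the same copy is refused, while a copy between two spaces at the same level still goes through.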

Object reuse. To speed up computers, programmers use short cuts. One short cut occurs in file deletion.

Common DOS machines delete a file by renaming it with an ampersand as the first character of the new name. When "DIR" or any other directory-read command is invoked, files marked with an ampersand are ignored. If space is needed to store new data, the disk-management program authorizes overwrites of the old data, but until that moment the actual data represented by that file name remains on the disk in readable format.

Utilities such as PC Tools or Norton Utilities exploit that function to restore "deleted" files. Unfortunately, such restoration also constitutes a breach of security.

The Department of Justice recently suffered a severe compromise of sensitive information about FBI investigations when "old" computers were sold to the public for salvage. PC Tools enabled the new owners to restore and read sensitive reports.

That practice is object reuse. Properly developed security systems invoke an algorithm for deleting the file name from the directory and overwriting the space occupied by that file with random 1's and 0's.
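To make the object-reuse problem concrete, the following Python sketch is an added example, not part of the original article. It models a disk as a directory plus data blocks; the `ToyDisk` class, its block size, and the sample file are constructed, and it compares a directory-only delete with a delete that overwrites the blocks with random bytes first.

```python
import os
BLOCK = 16  # constructed block size in bytes

class ToyDisk:  # hypothetical in-memory disk: a directory plus data blocks
    def __init__(self, nblocks=8):
        self.blocks = [bytes(BLOCK) for _ in range(nblocks)]
        self.directory = {}  # name -> {"blocks": [...], "size": n, "deleted": bool}

    def write(self, name, data):
        live = {b for e in self.directory.values() if not e["deleted"]
                for b in e["blocks"]}
        free = [i for i in range(len(self.blocks)) if i not in live]
        need = -(-len(data) // BLOCK)  # ceiling division
        if need > len(free):
            raise OSError("disk full")
        for n, b in enumerate(free[:need]):
            self.blocks[b] = data[n * BLOCK:(n + 1) * BLOCK].ljust(BLOCK, b"\0")
        self.directory[name] = {"blocks": free[:need], "size": len(data),
                                "deleted": False}

    def quick_delete(self, name):
        # Directory-only delete: flag the entry, leave the data blocks untouched.
        self.directory[name]["deleted"] = True

    def secure_delete(self, name):
        # Overwrite each block with random bytes, then remove the directory entry.
        for b in self.directory[name]["blocks"]:
            self.blocks[b] = os.urandom(BLOCK)
        del self.directory[name]

    def undelete(self, name):
        # What a recovery utility does: follow a flagged entry back to its blocks.
        entry = self.directory.get(name)
        if entry is None or not entry["deleted"]:
            return None
        return b"".join(self.blocks[b] for b in entry["blocks"])[:entry["size"]]

    def raw_scan(self, needle):
        # Search the raw blocks for leftover content, ignoring the directory.
        return needle in b"".join(self.blocks)

def demo():
    secret = b"CONFIDENTIAL: Q3 acquisition plan"  # constructed sample data
    quick, wiped = ToyDisk(), ToyDisk()
    for d in (quick, wiped):
        d.write("plan.txt", secret)
    quick.quick_delete("plan.txt")
    wiped.secure_delete("plan.txt")
    return (quick.undelete("plan.txt"), quick.raw_scan(b"acquisition"),
            wiped.undelete("plan.txt"), wiped.raw_scan(b"acquisition"))
```

The toy model has no caches, backups, or remapped sectors; on real hardware the overwrite must reach every physical copy of the data to have the same effect.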

Encryption. Encoding files into unintelligible gibberish is called encryption. If an unauthorized person gains access to encrypted data, it remains secure unless the thief is able to decrypt it.

For commercial purposes or for safeguarding unclassified government data, the Data Encryption Standard (DES) algorithm for encrypting data is a reasonable method for protecting data--except, perhaps, from high-power, government-level analysis. DES-based methods can be implemented in software but are notoriously slow. Thus DES is normally found only in hardware-based security systems.

THE FOREGOING FEATURES ACTIVELY contribute to information security. The following features do little to prohibit unauthorized activity but are essential to maintaining an effective information-security environment:

Audit trails. Audit trails are a record of events on a system. Theoretically, every keystroke by all users could be recorded. However, the audit trail has to reside somewhere, and every byte of storage space used by the audit trail is a byte that cannot be used for anything else. Further, every audit record requires time to be written.

Audit trails therefore consume space and time on the system. The more detailed the audit trail, the slower the system runs and the less space there is available for data or program storage on the system.

In practice, audit trails are limited to summaries of the types of activities users engage in. Audit trails do not prevent unauthorized activities. However, audit trail records normally reveal patterns of inappropriate activity and disclose attempts to access unauthorized files or perform unauthorized functions. Audit trails provide a way for management to look over the shoulders of the users to see what they are doing to ensure it is appropriate.
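The summary level of auditing described above can be sketched in a few lines of Python. This is an added example, not part of the original article; the record format, the sample log, and the threshold of three denials are all constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample audit records: timestamp user action object result
AUDIT_LOG = """\
1991-12-02T09:01 jsmith READ payroll/q4.dat DENIED
1991-12-02T09:02 jsmith READ payroll/q3.dat DENIED
1991-12-02T09:02 mlee WRITE reports/draft.doc OK
1991-12-02T09:04 jsmith COPY hr/reviews.dat DENIED
1991-12-02T09:10 mlee READ payroll/q4.dat DENIED
1991-12-02T09:15 jsmith READ sales/leads.dat OK
garbled-record
"""

def analyse(log_text, min_denied=3):
    """Return (per-user summary, flagged users, count of unparseable lines)."""
    summary = defaultdict(Counter)   # user -> {(action, result): count}
    denied = defaultdict(set)        # user -> objects the user was refused
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            skipped += bool(fields)  # count garbled records, ignore blank lines
            continue
        _ts, user, action, obj, result = fields
        summary[user][(action, result)] += 1
        if result == "DENIED":
            denied[user].add(obj)
    flagged = {}
    for user, objs in denied.items():
        total = sum(n for (_, res), n in summary[user].items() if res == "DENIED")
        # Repeated refusals spread over several objects suggest probing,
        # not a single mistyped file name.
        if total >= min_denied and len(objs) > 1:
            flagged[user] = sorted(objs)
    return summary, flagged, skipped

if __name__ == "__main__":
    summary, flagged, skipped = analyse(AUDIT_LOG)
    print(dict(summary), flagged, skipped)
```

The per-user counts are the compact summary; the flagged set is the pattern a reviewer would follow up, and the skipped count shows how many records could not be read at all.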

Administration. Security hardware and software cannot provide any level of security without a well-designed, well-implemented security administration program. The degree of security afforded a system is a direct function of the care with which the system administrator understands, observes, and implements sound security practices.

Assurance. Assurance is used to describe the multidimensional, multidisciplinary process by which a secure computing system is put together. The process provides the basis for being confident that the promises implicit in each of the security features are properly invoked in the total working system of the network.

The vendors of network operating systems offer security features that reasonably safeguard the files on the file server. However, network information is also at risk at the workstations and on the network itself.

At a standard, unsecured workstation, there is no control over users or information and no audit or virus protection. On the network, data may be misrouted and intercepted as it flows through the cables. At the file server, though some safeguards are present, no boot protection or virus protection exists, and often there's no audit capability.

Networks consist principally of the file and peripheral servers, workstations, routers, and bridges. The vendors, however, can exercise control only over the file or system server where the operating system resides.

The Novell NetWare operating system, for example, provides for password access control, discretionary access control, and some administration. Passwords are required to access the LAN, and discretionary access control is applied to the file servers.

The addition of second-party security systems provides the full suite of security features. In addition to providing a full range of features throughout the network, such systems encrypt all data at all times except when displayed on workstation monitors or directed to authorized output devices. One such system, produced through a joint venture between Centel Federal Systems and Novell, will soon be submitted to the National Computer Security Center (NCSC) for evaluation as the first C2-level secure network system.

C2 is NCSC's highest security level for sensitive but unclassified information. The Computer Security Act of 1987 requires that sensitive information in the executive branch of government be protected at that level by 1992.

Network managers and senior corporate officials poorly understand the insider threat to PCs and networks. Few companies, and no nation, can afford such ignorance. The vulnerability is real. The threats are real. The solutions, fortunately, are at hand, waiting to be used.

[Chart Omitted]

(1) LAN, May 1990.
(2) From "Computer Viruses," a booklet published by the National Computer Security Association, January 1, 1991, p. 6.

Daniel B. Nickell is business development manager for the information security division of Centel Federal Systems Inc. in Reston, VA.
COPYRIGHT 1991 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:computer networks vulnerable to computer crime
Author:Nickell, Daniel B.
Publication:Security Management
Date:Dec 1, 1991